undefined | Better HN

0 pointssteveklabnik8y ago0 comments

It uses libgit2 for this; I don't know what specific attack vector you're thinking about though.

0 comments

lima8y ago

Git's on disk format has a massive attack surface.

Do not run "git" in untrusted directories. It is not hardened against that (as opposed to the network protocol).

That probably includes libgit2 unless it explicitly states the opposite.

The blurb made it sound like it checks the git status by default. But this isn't the case. You have to explicitly ask for with --git. Never mind then.

j / k navigate · click thread line to collapse

0 comments

lima8y ago

Git's on disk format has a massive attack surface.

Do not run "git" in untrusted directories. It is not hardened against that (as opposed to the network protocol).

That probably includes libgit2 unless it explicitly states the opposite.

jwilk8y ago

The blurb made it sound like it checks the git status by default. But this isn't the case. You have to explicitly ask for with --git. Never mind then.

j / k navigate · click thread line to collapse